Determine When to Include Processing Integrity into Your SOC 2 Audit

Processing Integrity is one of the five Trust Service Principles to help determine the scope of your SOC 2 Audit.

Each time you need to schedule a Service Organization Control 2 (SOC 2) audit for one of your service organizations, it is important that you decide which of the five Trust Service Principles you want and/or need to include in the resulting report from your SOC 2 audit.

As a quick refresher, the Trust Service Principles (TSP) are:

1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

The only TSP that is required in any SOC 2 audit is security. The rest of the TSPs—including processing integrity—are optional for inclusion, according to your general focus or specific concerns.

What Is Processing Integrity?

As defined above, processing integrity provides assurance that everything in the audited system is complete, valid, accurate, timely and authorized to fully satisfy the entity’s objectives.

The processing integrity criteria tests associated with the SOC 2 audit set out to reveal that there are no errors in processing. If there are any errors, processing integrity also assures timely correction.

Processing integrity criteria also focuses on inputs and outputs to the system, ensuring they are accurate throughout the processing of any actions within the system.

Finally, the criteria involved with processing integrity spotlight the data itself, as far as how it is stored and maintained while under the service organization’s care and responsibility.

Why Is Processing Integrity Important for A SOC 2 Audit?

Any time that a user entity enlists the outside sourcing of a service organization, it is important to know the key points of the service organization’s operations.

It is particularly important to determine that the system itself has the appropriate levels of integrity to protect the user entity’s information, along with knowing that the system—including hardware, software and cloud applications—is completely accurate, valid, timely and properly authorized.

Processing integrity is a vital part of a SOC 2 audit for the sake of ensuring the service organization is abiding by its agreement that mandates operational and technical parameters within which the service organization must comply.

You will know that your service organization is operating with processing integrity exists if the system performs all of its intended functions in an unimpaired manner, with no unauthorized or inadvertent manipulation.

Why You May Choose to Include Processing Integrity with a SOC 2 Audit

There are a few reasons that a user entity may decide to include processing integrity in an SOC 2 audit, including:

• If transactions do not fulfill the level of completeness necessary, according to the agreement.
• It there is duplication in processing, or there is a disconnect between the standard business values and expectations of the user entity, the validity of the service organization’s processing integrity comes into question.
• If the user entity suspects or has detected errors that may have been introduced into its information and control procedures via outside sources. If this user entity engages several service organizations, an audit can help pinpoint the issue at its source.
• If key information associated with submitted transactions is inaccurate, user entities may require a SOC 2 report on processing integrity to get to the core of the issue with a specific service organization.
• If there are frequent delays in the provision of services or the delivery of goods—especially on an ongoing basis—a closer look at the service organization’s processing integrity may help both parties resolve the issue, quickly and fully.
• If the user entity has reason to believe that processing related to their system is being performed by users without required approvals and privileges at the service organization, they may request a processing integrity review to ensure that only those with proper authorization work with their transactions.

Generally, when things are running smoothly and according to a detailed agreement, user entities have little reason to request this particular TSP. However, it is a highly useful tool to sort out smaller issues before they can grow and become bigger problems, or even catastrophic messes.

Related article: What Are the Differences? SOC 1 vs. SOC 2 Reports.

Do You Need to Perform A SOC 2 Audit with A Focus on Processing Integrity?

Are you worried about issues related to processing integrity at one of your service organizations? If so, our team at IS Partners, LLC. can help you sort things out.

We can sit down with you to look at the issues that have caught your attention to determine whether a processing integrity focus will uncover the underlying problem. If you decide to go forward with a SOC 2 audit and processing integrity review, we can help you get to the bottom of it all, so you can maintain a healthy professional partnership with your service organization.

Call us at 215-675-1400 or request a SOC Audit quote!

About The Author

David Dunkelberger

During his 25-year career, David has successfully delivered assurance, business advisory and investigative services to the financial institutions industry, primarily commercial banks and insurance companies. Additionally, he possesses solid competencies in risk-based auditing and internal control evaluation, and has generated significant cost savings for clients engaged in Sarbanes-Oxley compliance. He has held senior positions in both public accounting and private industry.

Prior to joining IS Partners, LLC, David managed forensic investigations at a nationally-recognized accounting firm and provided fraud detection, forensic investigation and litigation support services for the FDIC.

David graduated from Temple University in Philadelphia, PA.